Backend DevelopmentPHP TutorialResearch on PHP application security prevention technology_PHP tutorialResearch on PHP application security prevention technology_PHP tutorial
PHP security prevention program model
/* PHP anti-injection cross-site V1.0
Add: require(“menzhi_injection.php”);
at the top of your page to prevent SQL injection and XSS cross-site vulnerabilities.
##################Defects and Improvements##################
There are still many defects in the program , I hope you can help improve it
##################References and Acknowledgments##################
Neeao'ASP SQL universal anti-injection program V3.0
Part of the code is referenced from Discuz!
*/
error_reporting(0);
define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
$menzhi_injection="'|;|and|(|)|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|or|char|declare";
menzhi_injection = explode("|",$menzhi_injection);
foreach(array('_GET', '_POST', '_COOKIE','_REQUEST') as $_request) {
foreach($$_request as $ _key => $_value) {
//$_value = strtolower($_value);
$_key{0} != '_' && $$_key = daddslashes($_value); ($menzhi_injection as $kill_key => $kill_value) {
if(substr_count($_value,$kill_value)>0) {
echo "";
unset($_value);
exit();
}
}
//echo "
".$_value;
}
}
function daddslashes($string) {
if( !MAGIC_QUOTES_GPC) {
if(is_array($string)) {
foreach($string as $key => $val) {
$string[$key] = daddslashes($val);
}
} else {
$string = addslashes($string);
}
}
$string = preg_replace('/&(((#(d{3,5}) |x[a-fA-F0-9]{4}));)/', '&\1',str_replace(array('&', '"', ''), array('&', '"', ''), $string));
return $string;
}
?>
Add: "require("menzhi_injection.php");" at the top of your page to prevent SQL injection and XSS cross-site vulnerabilities. To call this program, we use require() instead of include(), because if an error occurs in the file called by require(), the program will be terminated, and include() will ignore it. And when require() calls a file, the external file will be called first as soon as the program is run. Inculde() only starts execution when it reaches this line. Based on the function characteristics, we choose require(). You can also add or delete filter characters in the $menzhi_injection variable according to actual needs to achieve better defense effects. Furthermore, you can modify the code yourself, and you may gain unexpected results. Ordinary injections can be defended. The following test is just for ridicule. The following is the test effect of a one-sentence Trojan:
Hehe, if you are tempted, just call it at the top of your page. Remember "require("menzhi_injection.php");" Oh. This is just a gimmick to arouse everyone's interest, please test it yourself. Defects and improvements to be made
Since this program is only an external call, it only handles externally submitted variables, and does not conduct a systematic analysis of your application, so it has many limitations, so please use it with caution. For programs that use GBK encoding, there is also the risk of double-byte encoding vulnerabilities. Although this program can handle this vulnerability. But to curb these loopholes, we still need to start from the root cause. Need to handle the database connection file, we can add character_set_client=binary. The database connection class db_mysql.class.php of Discuz!7.0 is very well written and you can refer to it. Of course, these are not the scope of this small program.
And this program does not filter the $_SERVER $_ENV $_FILES system variables. For example, when the $_SERVER['HTTP_X_FORWARDED_FOR'] system obtains the IP, hackers can change its value by hijacking and modifying the original HTTP request packet. This program can handle these vulnerabilities. But as programmers, what we need is to deal with external variables from the root cause, take precautions before they happen, and take precautions.
The program is very messy. Everyone is welcome to test it. If you have any comments or suggestions, please contact me directly.
Conclusion
Finally, I wish you all success in your studies and work, and pay tribute to all the hard-working PHPers.
PHP Email: Step-by-Step Sending GuideMay 09, 2025 am 12:14 AMPHPisusedforsendingemailsduetoitsintegrationwithservermailservicesandexternalSMTPproviders,automatingnotificationsandmarketingcampaigns.1)SetupyourPHPenvironmentwithawebserverandPHP,ensuringthemailfunctionisenabled.2)UseabasicscriptwithPHP'smailfunct
How to Send Email via PHP: Examples & CodeMay 09, 2025 am 12:13 AMThe best way to send emails is to use the PHPMailer library. 1) Using the mail() function is simple but unreliable, which may cause emails to enter spam or cannot be delivered. 2) PHPMailer provides better control and reliability, and supports HTML mail, attachments and SMTP authentication. 3) Make sure SMTP settings are configured correctly and encryption (such as STARTTLS or SSL/TLS) is used to enhance security. 4) For large amounts of emails, consider using a mail queue system to optimize performance.
Advanced PHP Email: Custom Headers & FeaturesMay 09, 2025 am 12:13 AMCustomheadersandadvancedfeaturesinPHPemailenhancefunctionalityandreliability.1)Customheadersaddmetadatafortrackingandcategorization.2)HTMLemailsallowformattingandinteractivity.3)AttachmentscanbesentusinglibrarieslikePHPMailer.4)SMTPauthenticationimpr
Guide to Sending Emails with PHP & SMTPMay 09, 2025 am 12:06 AMSending mail using PHP and SMTP can be achieved through the PHPMailer library. 1) Install and configure PHPMailer, 2) Set SMTP server details, 3) Define the email content, 4) Send emails and handle errors. Use this method to ensure the reliability and security of emails.
What is the best way to send an email using PHP?May 08, 2025 am 12:21 AMThebestapproachforsendingemailsinPHPisusingthePHPMailerlibraryduetoitsreliability,featurerichness,andeaseofuse.PHPMailersupportsSMTP,providesdetailederrorhandling,allowssendingHTMLandplaintextemails,supportsattachments,andenhancessecurity.Foroptimalu
Best Practices for Dependency Injection in PHPMay 08, 2025 am 12:21 AMThe reason for using Dependency Injection (DI) is that it promotes loose coupling, testability, and maintainability of the code. 1) Use constructor to inject dependencies, 2) Avoid using service locators, 3) Use dependency injection containers to manage dependencies, 4) Improve testability through injecting dependencies, 5) Avoid over-injection dependencies, 6) Consider the impact of DI on performance.
PHP performance tuning tips and tricksMay 08, 2025 am 12:20 AMPHPperformancetuningiscrucialbecauseitenhancesspeedandefficiency,whicharevitalforwebapplications.1)CachingwithAPCureducesdatabaseloadandimprovesresponsetimes.2)Optimizingdatabasequeriesbyselectingnecessarycolumnsandusingindexingspeedsupdataretrieval.
PHP Email Security: Best Practices for Sending EmailsMay 08, 2025 am 12:16 AMThebestpracticesforsendingemailssecurelyinPHPinclude:1)UsingsecureconfigurationswithSMTPandSTARTTLSencryption,2)Validatingandsanitizinginputstopreventinjectionattacks,3)EncryptingsensitivedatawithinemailsusingOpenSSL,4)Properlyhandlingemailheaderstoa
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
